New IoT-standards must protect cyber security for products and equipment connected to the internet.

14 July 2020

The Internet of Things (IoT) is spreading at lightning speed, and ever more product types and production equipment are being connected to the internet. The problem is that, at present, no cyber security requirements are imposed when products and equipment are connected to the internet. It is up to the producers themselves to assess the security aspect, and many understandably ask the question: “When is what we do safe enough?”

For IT systems, computers, networks, and servers, a number of cyber security standards already exist. However, there are shortcomings when it comes to standards for operating equipment such as video surveillance, process plants, ventilation systems, and production equipment. These are areas where it becomes increasingly important to impose requirements regarding cyber security in the form of access control, software updates, and monitoring.

New rules on the way

ENISA (European Network and Information Security Agency) is in the process of developing cyber security regulations for products with built-in data communication. The ENISA regulations are not expected to be ready until 2023.

Jeppe Pilgaard Bjerre, cyber security specialist at FORCE Technology, says:

“Currently, we do not know much about the content of the upcoming regulations other than that they will contain requirements regarding the products’ cyber security – requirements which the producers must deal with. Once the rules have been issued, efforts will be made to find relevant standards that can be used for requirement compliance, e.g. the ISO 62443 standard.”

On a daily basis, he works with cyber security and advises customers on how to protect their IoT products against cyber-attacks.

“In Denmark, we are very trusting and do not expect people to take advantage of us, but it is becoming increasingly important to take cyber security into account as still more products and production equipment become connected to the internet and thus potentially become more vulnerable to cyber-attacks,” says Jeppe Pilgaard Bjerre.

Keeps pace via standardisation work

For Jeppe Pilgaard Bjerre, it is essential to keep track of what is happening in the cyber security field so that he can give customers the best possible advice. Therefore, he is a member of ISO/IEC JTC 1/SC 41 “Internet of Things” (which also covers cyber security) and a member of the Danish Standards committee S-840 “Internet of Things”.

“In the S-840 committee, we are working to get a more uniform picture of what cyber security is and should be. The standards must include rules for what the producers as a minimum must do to ensure cyber security and close the most common vulnerabilities. The committee does not deal with things like patient safety or banking security. The focus is more on finding the lowest common denominator, for example not too simple passwords that can easily be hacked, so that you avoid e.g. DDoS attacks (Distributed Denial of Service). This kind of cyber-attack has affected the websites of large companies over the past couple of years,” says Jeppe Pilgaard Bjerre.

The challenge

As technology is rapidly developing in this area, it is a real challenge to develop cyber security standards:

“One should take care that the standard does not become too specific, in case the technology turns in a completely different direction. Neither should we make too specific requirements that restrict the product developers.”

One of the things that Jeppe Pilgaard Bjerre would like to highlight in his standardisation work relates to how companies can detect IT vulnerabilities in their products and equipment:

“When marketing a new product, it is a good idea to create a communication channel where users can report back to you if they have discovered vulnerabilities in your product. That way, we can jointly raise the security level in Denmark.”
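One concrete way to open such a reporting channel is a security.txt file (RFC 9116) served at /.well-known/security.txt on the product's support domain, so that anyone who finds a vulnerability can see where and how to report it. The file below is an added example for illustration and is not from the article or from FORCE Technology; the domain, contact address and policy URL are placeholders to be replaced with the producer's own.

```text
# Placeholder security.txt for a hypothetical IoT producer (example.com is a reserved example domain)
# Serve at https://example.com/.well-known/security.txt with a text/plain content type.

# Where reports go (required). Several Contact lines are allowed, listed in order of preference.
Contact: mailto:security@example.com
Contact: https://example.com/vulnerability-report

# Date after which this file should be considered stale (required); refresh it before it expires.
Expires: 2021-07-14T00:00:00.000Z

# Optional: public key for encrypted reports, so reporters can send details confidentially.
Encryption: https://example.com/pgp-key.txt

# Optional: the disclosure policy reporters are asked to follow (response times, safe-harbour terms, scope).
Policy: https://example.com/security-policy

# Optional: languages in which reports can be handled.
Preferred-Languages: da, en

# Optional: the authoritative location of this file, so a copied or tampered file can be recognised.
Canonical: https://example.com/.well-known/security.txt
```

The two required fields are Contact and Expires; the rest are optional but a published policy is what turns a mailbox into a predictable process for both the reporter and the producer. The same file can be referenced from the product documentation and the device's web interface so that users of equipment without a public website still find the channel.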